* Sendmail version 8.13.5 and prior
* Sendmail version 8.12.10 and prior
* Sendmail version 8.13.6
Race condition DoS
Sendmail contains a signal race vulnerability when receiving and processing mail data from remote clients. Sendmail utilizes a signal handler for dealing with timeouts that is not async-safe and interruption of certain functions by this signal handler will cause static data elements to be left in an inconsistent state. These data elements can be used to write data to invalid parts of the stack (or heap in some scenarios), thus taking control of the vulnerable process.
In order to exploit this vulnerability, an attacker simply needs to be able to connect to sendmail SMTP server. This is a multi-shot exploit, meaning the attacker can attempt to exploit it an indefinite amount of times, since sendmail spawns a new process for each connected client.
Unsafe usage of setjmp and longjmp functions allow attackers to redirect memory jumps and execute arbitrary code.
When calculating the header size, an integer overflow may occur when too big header size is needed to allocate on unsigned integer causing an overflow and allow to execute arbitrary code.